Here's why security experts say Zero Trust might be the best way to stop data breaches.
What Is Zero Trust? A More Effective Security Model
The Zero Trust Model Beginnings
The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, who at the time was a principal analyst at Forrester Research Inc.
Now, ten years later, CIOs, CISOs and other corporate executives are increasingly implementing Zero Trust as the technologies that support it move into the mainstream, as the pressure to protect enterprise systems and data grows significantly, and as attacks become more sophisticated.
What is Zero Trust?
Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access.
The strategy boils down to this: trust no one, and cut off all access until the network knows who you are. Don't allow access from IP addresses, machines, etc. until you know who that user is and whether they're authorized for the resource they are asking for.
Why Zero Trust? Consider these statistics:
The 2019 Annual Cybercrime Report from Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.
Meanwhile, the 2020 Data Breach Study, conducted by Ponemon Institute and sponsored by IBM, found that the global average cost of a data breach is $3.86 million. These figures come despite organizations spending more and more on their cybersecurity efforts. Gartner Inc., a tech research and advisory firm, projected that worldwide spending on information security products and services would hit $123.8 billion in 2020.
Recognizing that existing approaches aren't doing enough, enterprise leaders are searching for something better, and are finding that the Zero Trust model delivers better results.
The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access.
Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance.
Experts say one of the inherent problems we have in IT is that we essentially trust way too much. That's why the internet took off: everyone could share everything all the time. But it's also a key failure point. If you trust everything, you have no chance of changing anything security-wise.
Bad actors and malicious threats aren't the only factors driving this new model. Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users – employees, partners, customers – accessing applications from a range of devices from multiple locations and even potentially from around the globe.
All these macro changes have led to this new model. They raise the question: how do we secure ourselves in this new world? The answer is that the new firewall, the enforcement point, sits close to the asset you're trying to protect rather than at the edge of the network.
The technologies behind Zero Trust
The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise.
The first thing is to understand who the user is. Let's really make sure this is John [for example], and let's make sure we understand what endpoint John is coming from: is it a known, secure endpoint, and what is its current security status? Then let's apply a conditional policy, a policy [specifying] that someone can have access to something only while those conditions hold.
To do this, Zero Trust draws on technologies such as multifactor authentication, IAM, orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as least privilege: giving users only the access they need to accomplish a specific task.
Let's take network segmentation and next-gen firewalls, put them down inside the network in segments, and control who, what, where and when someone connects. We need to design from the inside of the network out rather than from the outside in. As is the case with IT in general these days, Zero Trust is not just technology; it's about process and mindset as well.
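The conditional policy described above (verify the identity, check the endpoint, then decide per resource and per action) can be made concrete in a small default-deny evaluator. The following is an added example written for this article, not code from Forrester or any Zero Trust product; the request fields, policy names, roles and sample requests are all constructed. Note what is deliberately missing from the inputs: the source IP or network location plays no part in the decision.

```python
"""Added example: a minimal default-deny conditional access evaluator.

Illustrative code written for this article, not a vendor's implementation.
Policies, roles, resource names and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]        # identity verified by the IdP; None if not yet authenticated
    mfa_verified: bool         # second factor completed in this session
    device_managed: bool       # endpoint is enrolled in the organization's device management
    device_compliant: bool     # endpoint passed posture checks (patched, encrypted, EDR running)
    roles: FrozenSet[str]      # roles/groups the IdP asserts for this user
    resource: str              # target system or data set
    action: str                # "read", "write", ...


@dataclass(frozen=True)
class ResourcePolicy:
    require_mfa: bool
    require_managed_device: bool
    require_compliant_device: bool
    allowed: Dict[str, FrozenSet[str]]   # action -> roles permitted to perform it


# Constructed sample policy: the most sensitive asset gets the tightest conditions.
POLICIES: Dict[str, ResourcePolicy] = {
    "payroll-db": ResourcePolicy(
        require_mfa=True, require_managed_device=True, require_compliant_device=True,
        allowed={"read": frozenset({"finance", "hr"}), "write": frozenset({"payroll-admin"})},
    ),
    "internal-wiki": ResourcePolicy(
        require_mfa=True, require_managed_device=False, require_compliant_device=False,
        allowed={"read": frozenset({"all-staff"}), "write": frozenset({"wiki-editors"})},
    ),
}


def evaluate(req: AccessRequest, policies: Dict[str, ResourcePolicy] = POLICIES) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Each check that fails denies; nothing is implicit."""
    policy = policies.get(req.resource)
    if policy is None:
        return "deny", "no policy for resource (default deny)"
    if req.user is None:
        return "deny", "identity not verified"
    if policy.require_mfa and not req.mfa_verified:
        return "deny", "MFA required"
    if policy.require_managed_device and not req.device_managed:
        return "deny", "unmanaged device"
    if policy.require_compliant_device and not req.device_compliant:
        return "deny", "device failed posture check"
    permitted_roles = policy.allowed.get(req.action, frozenset())
    if not (req.roles & permitted_roles):
        return "deny", f"role not permitted to {req.action} {req.resource}"
    return "allow", "identity, device and role checks passed"


# Constructed requests: same user, different device or action, different outcome.
SAMPLE_REQUESTS: Dict[str, AccessRequest] = {
    "finance_read_ok": AccessRequest("alice", True, True, True, frozenset({"finance", "all-staff"}), "payroll-db", "read"),
    "finance_write_denied": AccessRequest("alice", True, True, True, frozenset({"finance", "all-staff"}), "payroll-db", "write"),
    "byod_payroll_denied": AccessRequest("bob", True, False, False, frozenset({"hr", "all-staff"}), "payroll-db", "read"),
    "byod_wiki_ok": AccessRequest("bob", True, False, False, frozenset({"hr", "all-staff"}), "internal-wiki", "read"),
    "no_mfa_denied": AccessRequest("carol", False, True, True, frozenset({"all-staff"}), "internal-wiki", "read"),
    "unknown_resource_denied": AccessRequest("dave", True, True, True, frozenset({"all-staff"}), "legacy-share", "read"),
}


def run_samples() -> Dict[str, str]:
    """Decision for each constructed request, keyed by the request's name."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        decision, reason = evaluate(req)
        print(f"{name:26s} {decision:5s} {reason}")
```

Two design points carry the Zero Trust idea. First, the order of checks puts identity before everything else, so a device or role attribute is never consulted for an unverified caller. Second, the least-privilege piece is in the per-action role map: Alice, on a fully compliant corporate laptop with MFA, can read the payroll database but cannot write to it, because her role was never granted that action.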
Getting started with Zero Trust
A number of enterprise IT shops are already doing many pieces of Zero Trust, experts say. They often have multifactor authentication, IAM, and permissioning in place. They're also increasingly implementing micro-segmentation in parts of their environment.
Yet developing a Zero Trust environment isn't just about implementing these individual technologies. Instead, it's about using these and other technologies to enforce the idea that no one and nothing has access until they've proven they should be trusted. You decide strategically that this approach helps, and then you buy technology that lets you achieve that goal. The real landmine is to throw technology at the problem and hope the strategy falls out of it. It's better to embrace the strategy first and then leverage technology iteratively.
Not surprisingly, organizations will find that getting to Zero Trust is not an overnight accomplishment. Nor will it be easy, particularly if they have legacy systems that don't transition well to this new model.
Many companies are moving to the cloud and thus to green-field environments. Those are the perfect places to adopt Zero Trust and a great place to start the Zero Trust journey. Organizations, particularly larger ones with complex IT environments and legacy systems, should see the move to Zero Trust as a multiphase, multiyear project. Another challenge in moving to Zero Trust is getting staff to think in this new way.
Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments. Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment.
Organizations also need to understand that Zero Trust requires ongoing effort (as does any other successful IT or security program) and that certain pieces of the Zero Trust effort may create more challenges than others, according to experts. Consider, for instance, the ongoing work that comes with micro-segmentation, where teams must be sure to configure changes properly and update changing IP data to ensure there's no interruption in the access required for employee work or corporate transactions. Otherwise, organizations could be dealing with a work stoppage.
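The failure mode in that paragraph, a host is re-addressed and the segmentation rules written against its old IP silently start blocking a required flow, is easy to catch before the change goes live if required flows are recorded and checked against the proposed rules. The following is an added example written for this article, not code from any segmentation product: a constructed three-tier application, a set of host rules, and a check that reports which required flows would be blocked, first with stale rules and then with rules regenerated from the updated inventory.

```python
"""Added example: pre-change validation of micro-segmentation rules.

Written for this article, not taken from any vendor product. Segments, hosts,
rules and required flows are all constructed for illustration.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    src: str    # source CIDR (a /32 for a single host)
    dst: str    # destination CIDR
    port: int   # destination TCP port


class Flow(NamedTuple):
    name: str   # what the flow is for, so a blocked flow is explainable
    src_ip: str
    dst_ip: str
    port: int


def rule_allows(rule: Rule, flow: Flow) -> bool:
    """True if the flow's source, destination and port all fall within the rule."""
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.port == flow.port)


def blocked_flows(rules: List[Rule], required: List[Flow]) -> List[str]:
    """Segments are default-deny: a required flow is blocked unless some rule explicitly allows it."""
    return [f.name for f in required if not any(rule_allows(r, f) for r in rules)]


def rules_from_inventory(label_rules: List[Tuple[str, str, int]],
                         inventory: Dict[str, List[str]]) -> List[Rule]:
    """Expand (src_label, dst_label, port) rules into host rules from the current inventory.

    Regenerating rules from inventory after every IP change keeps policy and addresses in step.
    """
    return [Rule(f"{s}/32", f"{d}/32", port)
            for src_label, dst_label, port in label_rules
            for s in inventory[src_label]
            for d in inventory[dst_label]]


# Constructed three-tier application: web -> app on 8443, app -> db on 5432.
INVENTORY_BEFORE = {"web": ["10.0.1.10"], "app": ["10.0.2.20"], "db": ["10.0.3.30"]}
LABEL_RULES = [("web", "app", 8443), ("app", "db", 5432)]

# Host rules generated once against the original addresses and then left alone,
# which is how hand-maintained firewall rules usually end up.
STATIC_RULES = rules_from_inventory(LABEL_RULES, INVENTORY_BEFORE)

# The database is re-addressed (for example, rebuilt on a new host); STATIC_RULES were not updated.
INVENTORY_AFTER = {"web": ["10.0.1.10"], "app": ["10.0.2.20"], "db": ["10.0.3.31"]}
REQUIRED_FLOWS_AFTER = [
    Flow("web-to-app", "10.0.1.10", "10.0.2.20", 8443),
    Flow("app-to-db", "10.0.2.20", "10.0.3.31", 5432),
]


def check_static_rules() -> List[str]:
    """Flows the stale host rules would block: the work stoppage the article warns about."""
    return blocked_flows(STATIC_RULES, REQUIRED_FLOWS_AFTER)


def check_regenerated_rules() -> List[str]:
    """Same check after regenerating the rules from the updated inventory."""
    return blocked_flows(rules_from_inventory(LABEL_RULES, INVENTORY_AFTER), REQUIRED_FLOWS_AFTER)


if __name__ == "__main__":
    print("blocked with stale rules:      ", check_static_rules())
    print("blocked with regenerated rules:", check_regenerated_rules())
```

Running the check is the point, not the rule format: whatever enforces the segments (host firewalls, a cloud security group, an NGFW), keep the list of required flows under version control alongside the rules and run a comparison like this in the change pipeline, so an IP change that orphans a rule is found before the application stops working rather than after.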
As a result of the complexities of applying Zero Trust to legacy and existing environments overall, companies really haven't been able to fully implement this model, says Kieran Norton, a principal in the Cyber Risk Services practice within Deloitte Risk and Financial Advisory. So Norton says he advises organizations to build Zero Trust "by design, not by retrofit." In other words, they should pursue the Zero Trust model as part of their overall digital transformation strategy, implementing the technologies that can help them achieve Zero Trust as they move more to the cloud and thus retire old legacy systems.
Moreover, Norton says the move to Zero Trust should involve the CISO, the CIO and others in the executive tier so they can prioritize what moves to this model and which pieces of their environment can wait. "I think about this as infrastructure transformation," he adds. "Information security hasn't kept pace with this digital transformation/modernized environment. But you have to transform how you manage security. You want to think about ubiquitous security, you want to be predictive, so you really need to be thinking about it differently."